Re: incron not seeing IN_CLOSE_WRITE?

From: Lukas Jelinek <lukas_at_aiken.cz>
Date: Fri, 10 Dec 2010 23:54:43 +0100

Hi,

I don't quite understand what you are asking. But I can explain how it
works. The kernel emits IN_CLOSE_WRITE or IN_CLOSE_NOWRITE depending on
whether the file was open for writing or not. For example:

FILE* f = fopen("file.txt", "w");
...
fclose(f);

This code emits IN_CLOSE_WRITE. And this code:

FILE* f = fopen("file.txt", "r");
...
fclose(f);

...emits IN_CLOSE_NOWRITE. If you want to monitor only one of these
events then use IN_CLOSE_WRITE or IN_CLOSE_NOWRITE respectively. But if
you want to monitor both of these events you must use both of those
bitmasks (which means IN_CLOSE_WRITE | IN_CLOSE_NOWRITE in C/C++ code
and IN_CLOSE_WRITE,IN_CLOSE_NOWRITE in the incron table) or simply
IN_CLOSE. In other words, IN_CLOSE is only a combined (ORed) mask for
monitoring, not an event type itself. The same applies to IN_MOVE
(which combines IN_MOVED_FROM and IN_MOVED_TO) and IN_ALL_EVENTS (which
combines all monitorable events).

Is it clear? If not, please state your question in a more understandable way.

Regards,

Lukas

> Hi,
>
> I'm trying to use incron to invoke a program whenever some files change.
> e.g.
>
> /var/log/snort/snort.last IN_CLOSE_WRITE /some/program /var/log/snort/snort.last
>
> /var/log/snort/snort.last is created by a conventional cron job, which does
> a cp of /var/log/snort/alert to /var/log/snort/snort.last on a 5 minute
> interval.
>
> This rule only seems to execute once after restarting incron, and never
> again (despite the copies running every 5 minutes).
>
> I started trying to debug what was going on, by using inotify_test from
> inotify-utils-0.25. According to it, it's seeing:
>
> MODIFY (file) 0x00000002
> FILENAME=snort.last
>
> OPEN (file) 0x00000020
> FILENAME=snort.last
>
> MODIFY (file) 0x00000002
> FILENAME=snort.last
>
> CLOSE (file) 0x00000008
> FILENAME=snort.last
>
> So basically no IN_CLOSE_WRITE, which is not what I'd expect to see for a
> file copy. I even tried adding --remove-destination, but I still don't get
> an IN_CLOSE_WRITE.
>
> I tried seeing what iwatch saw, and it sees:
>
> [10/Dec/2010 18:24:03] IN_MODIFY /var/log/snort/snort.last
> [10/Dec/2010 18:24:03] IN_OPEN /var/log/snort/snort.last
> [10/Dec/2010 18:24:03] IN_MODIFY /var/log/snort/snort.last
> [10/Dec/2010 18:24:03] IN_CLOSE_WRITE /var/log/snort/snort.last
> [10/Dec/2010 18:24:03] * /var/log/snort/snort.last is closed
>
> which is what I was expecting to see. Why this inconsistency?
>
> So I'm assuming that incron is seeing what inotify_test is seeing, and
> iwatch is seeing what I'd expect incron to be seeing.
>
> My understanding of IN_CLOSE is that it's like an aggregate of
> IN_CLOSE_WRITE and IN_CLOSE_NOWRITE, and so I thought you'd only use this as
> a mask for events you wanted to see, and it'd never be emitted itself.
>
> What am I missing here?
>
> regards
>
> Andrew
>
Received on Tue Jun 05 2012 - 22:14:21 CEST
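
The behaviour described in the reply above, as an added example that is not part of the original mail or of incron's code: a watch registered with the combined IN_CLOSE mask reports IN_CLOSE_WRITE or IN_CLOSE_NOWRITE depending on the fopen() mode, never IN_CLOSE itself. The scratch path and the function name close_mask_after are assumptions made for this example; it needs Linux inotify.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Creates a scratch file (constructed path), watches it with the combined
 * IN_CLOSE mask, opens and closes it with the given fopen() mode, and
 * returns the OR of the event masks the kernel delivered (0 on failure). */
uint32_t close_mask_after(const char *mode)
{
    char path[64];
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    uint32_t seen = 0;

    snprintf(path, sizeof path, "/tmp/in_close_demo_%ld", (long)getpid());
    int tmp = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (tmp < 0)
        return 0;
    close(tmp);                      /* closed before the watch exists */

    int ifd = inotify_init();
    if (ifd >= 0 && inotify_add_watch(ifd, path, IN_CLOSE) >= 0) {
        FILE *f = fopen(path, mode);
        struct pollfd pfd = { .fd = ifd, .events = POLLIN };
        if (f)
            fclose(f);               /* this close is what gets reported */
        if (f && poll(&pfd, 1, 1000) > 0) {
            ssize_t n = read(ifd, buf, sizeof buf);
            for (char *p = buf; n > 0 && p < buf + n; ) {
                struct inotify_event *ev = (struct inotify_event *)p;
                seen |= ev->mask;    /* accumulate the reported event bits */
                p += sizeof *ev + ev->len;
            }
        }
    }
    if (ifd >= 0)
        close(ifd);
    unlink(path);
    return seen;
}

int main(void)
{
    printf("fopen \"w\", fclose = 0x%08x\n", (unsigned)close_mask_after("w"));
    printf("fopen \"r\", fclose = 0x%08x\n", (unsigned)close_mask_after("r"));
    return 0;
}
```

In <sys/inotify.h>, IN_CLOSE_WRITE is 0x00000008 and IN_CLOSE_NOWRITE is 0x00000010, so those are the two values printed.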